* Allow simple alphanumeric style attribute values in the htmlscrubber. This
  should be safe from javascript attacks.
master
joey 2007-07-11 16:50:59 +00:00
parent 68ae662e6f
commit a8fa52080d
4 changed files with 31 additions and 18 deletions


@ -31,7 +31,8 @@ sub scrubber { #{{{
span strike strong sub sup table tbody td textarea
tfoot th thead tr tt u ul var
}],
default => [undef, { map { $_ => 1 } qw{
default => [undef, { (
map { $_ => 1 } qw{
abbr accept accept-charset accesskey action
align alt axis border cellpadding cellspacing
char charoff charset checked cite class
@ -44,7 +45,11 @@ sub scrubber { #{{{
selected shape size span src start summary
tabindex target title type usemap valign
value vspace width
}, "/" => 1, # emit proper <hr /> XHTML
} ),
"/" => 1, # emit proper <hr /> XHTML
"style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
# references allowed,
# to avoid javascript
}],
);
return $_scrubber;
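Review bot: the new `"style" => qr{^[-a-zA-Z0-9]+$}` entry anchors with `$`, which in Perl also matches just before a trailing newline; `\z` is the exact end-of-string anchor and is the better choice for a whitelist pattern. It is not exploitable here, because the character class admits no `:`, `;`, `(`, `)`, quotes or whitespace, so no CSS declaration, and in particular none of the `url(...)`, `expression(...)` or `behavior:` forms, can be assembled from an accepted value; the regex is applied to the entity-decoded attribute value that HTML::Parser hands to the scrubber, which is what makes the `&#x61;...` style encodings fail the check rather than slip past it. Two smaller points: the comment "only very simple references allowed" should say "values", since that is what the pattern tests, and because `style` is now the only key in this hash whose value is a pattern rather than `1`, a one-line comment saying that HTML::Scrubber treats a regex value as "allow when it matches" would save the next reader a trip to the module docs.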

debian/changelog

@ -7,8 +7,10 @@ ikiwiki (2.4) UNRELEASED; urgency=low
* Support building on systems that lack asprintf.
* mercurial getctime is currently broken, apparently by some change in
mercurial version 0.9.4. Turn the failing test case into a TODO test case.
* Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.
-- Joey Hess <joeyh@debian.org> Sun, 08 Jul 2007 20:25:00 -0400
-- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400
ikiwiki (2.3) unstable; urgency=low
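Review bot: the changelog entry says "simple alphanumeric" but the pattern committed to the scrubber also admits hyphens (`[-a-zA-Z0-9]+`); stating the accepted form, for example "a single token of letters, digits and hyphens", tells wiki admins exactly what now survives sanitisation without reading the code.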


@ -7,7 +7,12 @@ to avoid XSS attacks and the like.
It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style`, `link`, and the `style` attribute.
Notably it strips `style` and `link`.
For the `style` attribute, it varys slightly from the Universal Feed
Parser, accepting simple alphanumeric style attributes (style="foo"), but
stripping anything more complex to avoid any of the ways to insert
JavaScript via style attributes.
It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
@ -36,3 +41,4 @@ plugin is active:
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
* <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">entity-encoded CSS script test</span>
* <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">entity-encoded CSS script test</span>
* <span style="pretty">OTOH, this is ok, and will be accepted</a>
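Review bot: "varys" should be "varies" in "it varys slightly from the Universal Feed Parser", and the final test case closes a `<span>` with `</a>`: `* <span style="pretty">OTOH, this is ok, and will be accepted</a>` should end in `</span>`, otherwise the positive example is itself malformed markup. The phrase "simple alphanumeric style attributes (style="foo")" also understates the whitelist slightly, since the regex in the scrubber accepts hyphens as well; saying so keeps the documentation in step with the code. It would also help to spell out why the accepted form is harmless, namely that the pattern excludes every character needed to write a CSS declaration or a `url()`/`expression()` call, which is the property the preceding test cases exercise.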


@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2007-07-08 20:26-0400\n"
"POT-Creation-Date: 2007-07-11 12:49-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"